RESEARCH REPORT – DECEMBER 2015
How Technology
is Shaping
Internal Auditing
Insights from the UAE
Sponsored by
UAE Internal Auditors Association
Information included in this report is general in nature and is not intended to refer to or address an specific
entity. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form
by any means—electronic, mechanical, photocopying, recording, or otherwise—without prior written permission of the UAE Internal Auditors Association. Requests for permission should be sent to Samia Al Yousuf at
samia@iiauae.org
Published by the UAE Internal Auditors Association
Office 1503, 15th Floor, API Trio Tower
Dubai, United Arab Emirates
About the UAE Internal Auditors Association
The UAE Internal Auditors Association (UAE-IAA) was set up in July 1995 as a non-profit organization
and is the official affiliate of Institute of Internal Auditors (IIA) in the United Arab Emirates. Our vision is
to be a leading association that promotes innovation and excellence in internal auditing. Our mission is
to provide dynamic leadership to advocate and promote the profession of internal auditing throughout
the UAE. The UAE-IAA offers regular training programs, workshops, seminars and an annual conference
with the objective of promoting the profession within the business community. In addition, we work
with regulators to increase awareness of internal audit and internal audit standards. The UAE-IAA has the
support of leading companies and professional services firms in the UAE who actively participate in the
UAE-IAA’s efforts to promote the profession of internal auditing.
Project Task Force
Abdulqader Obaid Ali, CFE, CRMA, QIAL
Farah Araj, CPA, CIA, CFE, QIAL
Issam Zaghloul, CISA, CISSP, CGEIT
Avinash Totade, CISA, CGEIT, CISSP, CIW, MCSE
Authors
Munir Majdalawieh, Ph.D.
Yass A. Alkafaji, DBA, CPA, CFE
Reviewers
Issam Zaghloul, CISA, CISSP, CGEIT
Farah Araj, CPA, CIA, CFE, QIAL
About the Research Report Sponsors
Wolters Kluwer is a global information services company enabling legal, tax, finance, and healthcare
professionals to be more effective and efficient. Wolters Kluwer provides information, software, and
services that deliver vital insights, intelligent tools, and the guidance of subject-matter experts to clients
in over 40 countries.
TeamMate is part of Wolters Kluwer and as the world’s leading audit management software, TeamMate
has revolutionised the industry, empowering audit departments of all sizes to spend less time
documenting and reviewing and more time providing value-added services. TeamMate’s award-winning
audit management software system increases the efficiency and productivity of the entire internal audit
process, including: risk assessment, scheduling, planning, execution, review, report generation, trend
analysis, audit committee reporting and storage.
By providing an integrated paperless strategy for managing audits, TeamMate’s audit software eliminates
the barriers associated with paper-filled binders and disconnected electronic files, driving efficiencies into
all facets of the internal audit workflow.
Find out what more than 100,000 auditors from more than 2,500 organisations across the globe have
already discovered. Visit us online at www.teammatesolutions.com.
How Technology is Shaping Internal Auditing
Contents
Acknowledgements
4
Foreword
5
Executive Summary
6
Introduction
8
Section 1: IT Audit Staffing Levels and Specializations
Academic Major
Professional Certificates
IT Skills that the Internal Audit Departments are Recruiting
IT Audit Specialization and Sourcing
12
13
14
14
16
Section 2: Understanding & Responding to Technology Risks
IT Risk as a Top Five Organizational Risk
IT Risk as Part of Internal Audit Plans
IT Governance Activity
Audit Activities Relating to IT Security
Audit Activities Relating to Emerging IT Areas
IT Audit Trends Over the Next 2 – 3 Years
17
18
19
20
21
24
25
Section 3: Using Technology to Enhance Internal Audit Processes
Level of Reliance on Technology to Support Internal Audit Processes
Technologies used by Internal Audit
Internal Audit Usage of Data Mining or Data Analytics
Internal Audit Usage of Continuous Auditing
27
28
29
30
32
Conclusion
34
References
37
Appendix 1 - Survey Participants Demographics
38
About the Authors
41
UAE Internal Auditors Association
Acknowledgements
The UAE Internal Auditors Association (UAE-IAA) is pleased to release this research report on How
Technology is Shaping Internal Auditing which is based on the CBOK 2015 Global Internal Audit
Practitioner Survey (Survey) carried out by The Institute of Internal Auditors (IIA) Research Foundation.
This is the second research report issued by the UAE‑IAA and also the first research report covering the
linkages between information technology and internal auditing in the UAE.
This research report would not have been possible without the huge support and contributions of many
people. Firstly, I would like to express my thanks to the report’s authors, Dr. Munir Majdalawieh and Dr.
Yass Alkafaji who worked tirelessly over a period of six months to deliver this excellent report. Also, my
appreciation extends to the project task force, who provided direction to the authors and oversaw the
research process.
Secondly, I would like to thank the driving force behind this project, Issam Zaghloul and Farah Araj, who
proposed the research topic, project managed the team, reviewed the report, conducted the interviews
with the experts, and provided insights from the internal audit practitioner point of view on the report
findings & recommendations.
Most importantly, I would like to thank each of the 361 internal auditors who took time from their busy
schedules to anonymously participate in the survey and support the research initiative. Without their
participation this research report would not have become a reality. I am also very grateful to the senior
executives who participated in the post survey interviews, shared their experience and gave a real world
perspective on the survey’s topics. In this regard, I would like to thank the following individuals, as well as
those who participated in the interviews anonymously:
• A
dil Buhariwalla, Managing Partner – MACS International and member of the Institute of Internal
Auditors’s Committee of Research and Education Advisors
• Aldrin Sequeira, Chief Internal Audit Officer at Jumeirah Group
• Susheel Raje, Head of Internal Audit, Commercial Bank International
• Torben Hilbertz, Vice President Internal Audit, Abu Dhabi Airports
Last but not least, this report would not have been published without the sponsorship and the support of
Wolters Kluwer. On behalf of the UAE-IAA, I extend my sincere thanks to Sarah Myers and Michael Gowell
for stepping forward and offering their support to the Project Task Force and also for providing insights on
the survey’s results.
I am really proud of how the members & supporters of the UAE-IAA encouraged us to develop original
research. I hope that we can continue to work together to produce UAE specific insights on an annual basis.
AbdulQader Obaid Ali
President
UAE Internal Auditors Association
4
How Technology is Shaping Internal Auditing
Foreword
I am pleased to have the opportunity to work with the UAE-IAA and contribute to this important
research study on How Technology is Shaping Internal Audit. Tackling such a dynamic and
challenging topic as technology is further testament as to how the Institute of Internal Auditors is
committed to advancing the internal audit profession in the UAE and globally. The lessons learned
from this research will help internal auditors around the world understand the technology strategy
and skills needed to have a world class internal audit function.
As we all know, technology is evolving at an ever-increasing pace and has many applications as
well as implications for internal audit. When it comes to understanding technology risks, there has
never been a more challenging time to be an auditor. While the IT environment is indeed bringing
new challenges to internal audit, technology is also helping drive unprecedented benefits to those
internal audit departments that have successfully deployed these advances into their audit process.
Wolters Kluwer research, however, indicates that there is a significant gap between the importance
that audit leaders place on technology and their success in effectively using it.
This UAE-IAA research report, which takes a closer look at three critical technology areas
(audit capabilities as they relate to IT, IT risks, and internal audit technology tools) provides an
excellent framework to help internal auditors better understand the expectations, challenges and
opportunities related to technology.
I have been working in the field of internal audit technology for 25 years and have seen first-hand
the direct linkage between the effective use and understanding of technology and world class audit
departments. In my experience, internal audit departments that treat technology as a top-down
strategic imperative are the most successful in enhancing and expanding not only their use of
technology, but their effectiveness in auditing IT-related risks.
I am certain that you will find the information that the UAE-IAA has presented in this research study
as valuable as I do. I would encourage you to take the lessons learned from this research to shape
your internal audit technology strategy.
Michael Gowell
General Manager and Senior Vice President, TeamMate
Wolters Kluwer
5
UAE Internal Auditors Association
Executive Summary
Technology is not only changing the business world, it is changing the internal auditing profession. It is
changing the way internal audits are conducted as well as the risks and processes being audited. It is also
changing the skills that are required to have an effective internal audit function. In today’s world, internal
audit and technology need to go hand in hand.
Over the past 2 decades, Internal audit functions have been regularly auditing established information
technology (IT) areas such as IT general controls, service delivery, applications, infrastructure, IT projects
and IT governance. Since then new technologies have also given rise to a new set of emerging risks
associated with trends such as Big Data, Cybersecurity, Cloud Computing, Social Media and others.
Internal audit is now expected to deliver value to the organisation in these areas and traditional audit
methods may not be able to produce the quality work needed to assure stakeholders. As a result,
internal auditors have had to deploy new tools, such as Data Analytics & Continuous Auditing, in order to
provide assurance & insight on current and emerging IT risks.
Our world is constantly changing and internal auditors need to stay up to date and understand how new
technological innovations are impacting internal audit and how we can continue to remain relevant.
How Technology is Shaping Internal Auditing: Insights from the UAE, aims to provide an in depth analysis
of IT auditing in the UAE and how the UAE compares with rest of the world when it comes to IT
auditing. The report will look at internal audit departments in the UAE and understand IT audit staffing
& certifications, the top current & emerging IT risks, and the IT tools that internal auditors are using to
improve the quality & speed of audits.
A summary of the main findings from our research is as follows:
Section 1: IT Audit Staffing Levels and Specializations
• W
hen it comes to staffing levels, the UAE is at par with internal auditors globally with around a tenth
of internal auditors in the UAE coming from a technical IT background.
• Internal auditors specialized in IT audit in the UAE have double the percentage of IT audit and security
qualifications (e.g. CISA, CISSP, etc..) as compared to internal auditors globally.
• C
AEs in the UAE are looking to hire internal auditors with IT auditing skills such as cybersecurity &
privacy, data mining & analytics, and IT in general. However, these skills are not among the top five
skills which they are hiring for.
Section 2: Understanding & Responding to Technology Risks
• O
nly a small percentage of internal audit plans in the UAE is dedicated to IT risks, and almost half of the CAEs surveyed believe that this will not change in 2015.
• Surprisingly, there are some internal audit departments in the UAE that do not conduct audits of IT or related areas.
• IT risk does not seem to be high on the agenda of executive management, while internal audit departments consider IT risks among the top 5 risks which they will focus their attention on.
• While most internal audit departments carry out reviews of IT Governance, there is still room for improvement in this area
6
How Technology is Shaping Internal Auditing
• U
AE internal auditors focus more on IT security than do internal auditors globally in the areas of physical security, cybersecurity and website security. The area of least focus with regard to IT security is social media.
• Firewall reliability, data breaches or online disruption that can damage organization’s brand are the technologies with the most inherent risk exposure in the UAE.
• The vast majority of internal auditors in the UAE believe that internal audit focus on cybersecurity will increase over the next 2 – 3 years.
“Technology is now the way we do business and has to be an integral
part of internal auditing.”
Susheel Raje, Head of Internal Audit at Commercial Bank International
Section 3: Using Technology to Enhance Internal Audit Processes
• T he UAE is outperforming internal auditors globally as more than half of UAE internal auditors indicated that they extensively use technology across the entire audit process.
• Electronic working papers are the most extensively used information technology tool.
• Technology is most extensively used by internal auditors in the financial sector and public sector.
Similarly, the larger the internal audit department the more likely it is that they heavily rely on
information technology across the entire audit process.
• The majority of UAE internal auditors use data analytics and use continuous/real time monitoring
extensively or moderately.
This report will help internal auditors compare their internal audit department to other internal audit
departments in the UAE and globally. Internal auditors can use this report to educate stakeholders on
the key IT risk areas that should be part of the internal audit department’s scope, to promote the use
of technology within the internal audit department, and to improve the IT audit capabilities of the
internal audit team if required. In addition, the report provides CAEs with useful recommendations
from experienced internal audit leaders on how to improve IT risk capabilities and manage stakeholder
expectations.
7
Introduction
8
How Technology is Shaping Internal Auditing
Internal auditors need to provide assurance to the board of directors and to management that
risks, including information technology (IT) risks, are being appropriately managed in line with the
organization’s risk appetite. In addition to its core assurance role, internal audit is being asked to “deliver
deeper insights and value beyond assurance, particularly in the areas of strategic execution, emerging risk,
and increasingly the use of analytics” (Hatherell, 2014). When it comes to delivering value and insights, IT
is an area where internal auditors can easily break out of their comfort zone both in terms of audit areas
and using technology to increase audit efficiency & effectiveness.
Also, as IT continues to integrate into business processes and daily activities, risks associated with the use
of IT have attracted the attention of the media as well as regulators in the UAE. Laws at both the federal
and emirate level have been passed to regulate technology usage and to boost information security. IT
risks are now not only part of the corporate world but part of the world as a whole.
Research Approach
This report analyses responses from internal audit practitioners in light of leading practices and the
International Standards for the Professional Practice of Internal Auditing (Standards) issued by the
Institute of Internal Auditors (IIA), in order to help internal auditors better understand the expectations
and challenges related to using technology and auditing technology risks.
The results and analysis in this report are based on responses from the CBOK 2015 Global Internal Audit
Practitioner Survey (Survey), the largest survey of internal auditors in the world, as well as interviews with
internal audit leaders operating in the UAE. The Survey was completed by over 14,000 internal auditors
around the world, including over 350 from the UAE. Details of survey demographics are presented in
Appendix 1.
To perform the analysis, we analyzed the Survey based on the overall UAE results, and compared the
outcome with the results we obtained from Global respondents in order to arrive at a comprehensive
understanding on how technology is transforming internal auditing in the UAE. Furthermore, we
conducted interviews with internal audit leaders in the UAE to comment on the findings and obtain their
insights and recommendations.
“As a CAE you should always look for and assess whether a technology is available
to make your work more efficient and more effective. If business has improved and
your function has not over the years, are you an effective audit function?”
Torben Hilbertz, VP Internal Audit at Abu Dhabi Airports
Research Objectives
While there are numerous studies across the globe on IT in the context of internal auditing, there is very
limited research on this area in the UAE and, thus, this report comes to fill this gap. This report takes a closer
look at IT related questions and responses from the Survey in order to answer 3 main questions:
1. What IT specializations do internal auditors have and what IT skills are being recruited? (Section 1)
2. What are the main IT risks internal auditors are focusing on and how will that change in the next 2 – 3
years? (Section 2)
3. What technology tools are internal auditors using to improve their efficiency and effectiveness?
(Section 3)
The report will also aim to compare, where possible, the results of UAE internal auditors to those of internal
auditors globally.
9
UAE Internal Auditors Association
Institute of Internal Auditors Standards Relating to Technology
Technology is an integral part of the Standards. The Standards list 3 implementation standards that
mandate the responsibilities of internal auditors pertaining to technology:
• 1210 – Proficiency (1210.A3) – Internal auditors must have sufficient knowledge of key information
technology risks and controls and available technology-based audit techniques to perform their
assigned work. However, not all internal auditors are expected to have the expertise of an internal
auditor whose primary responsibility is information technology auditing.
• 1220 – Due Professional Care (1220.A2) – In exercising due professional care internal auditors must
consider the use of technology-based audit and other data analysis techniques.
• 2110 – Governance (2110.A2) – The internal audit activity must assess whether the information
technology governance of the organization supports the organization’s strategies and objectives.
In addition, and as part of the Recommended Guidance of the Institute of Internal Auditors’s International
Professional Practices Framework, there are several Practice Guides on technology such as the Global
Technology Audit Guides and the Guide to the Assessment of IT Risk. These Practice Guides dive deeper
into specific IT issues and provide guidance on how to conduct internal audits in these areas.
Overview of the Report
In Section 1, we focus on the capabilities of internal audit departments as they relate to IT. We will look at
the IT related responses to the following questions:
• Do you have an IT audit or security certification?
• Do you have a technical specialization in IT or do you spend a majority of your time working on IT?
• What skills are the internal audit departments recruiting or building?
In Section 2, we explore IT risks and look at the types of risks and the amount of time spent by internal
audit on IT risk. The applicable questions are:
• Is IT risk one of the top five risks on which executive management or internal audit is focusing the greatest level of attention in 2015?
• What percentage of your 2015 audit plan is dedicated to IT risk and is this an increase compared to your 2014 audit plan?
• What is the extent of internal audit activity related to IT security?
• What are your views on the risks from emerging IT areas?
• Where do you think IT audit activities will be directed in the next 2 – 3 years?
10
How Technology is Shaping Internal Auditing
In Section 3, we examine the tools internal auditors are using to enhance internal audit processes and
results:
• H
ow would you describe the use of technology to support internal audit processes at your
organization?
• What are the technology tools you use when conducting internal audit activities and how extensive
do you use them?
• Does your internal audit department use data mining or data analytics in internal audit activities?
Technology has already become an integral part of internal audit activities and processes. Internal
auditors who can’t keep up with the pace of change risk falling behind and becoming irrelevant. This
report gives UAE practitioners a fresh perspective on the nature of IT risks being addressed and the extent
of the use of technology in the internal audit activities and will help them discover areas where they can
grow professionally and increase their value to their organizations. It will also provide a benchmark that
Chief Audit Executives (CAE) can use to identify best practices and opportunities for improvement within
their internal audit departments.
11
Section 1
IT Audit Staffing Levels
and Specializations
12
How Technology is Shaping Internal Auditing
According to the International Professional Practices Framework (IPPF), internal auditors are expected to
apply and uphold four principles: integrity, objectivity, confidentiality, and competency. The principle of
competency requires internal auditors to engage only in those services for which they have the necessary
knowledge, skills, and experience. In addition, Institute of Internal Auditors Attribute Standard 1210:
Proficiency states: “Internal auditors must possess the knowledge, skills, and other competencies needed
to perform their individual responsibilities. The internal audit activity collectively must possess or obtain
the knowledge, skills, and other competencies needed to perform its responsibilities.”
The CAE must obtain competent advice and assistance if the internal auditors lack the knowledge, skills,
or other competencies needed to perform all or part of the engagement. The CAE should know what kind
and level of IT skills and competencies are required for auditing the effectiveness of the controls over the
identified business risks.
There has been increased recognition of the importance of having an ongoing improvement and a
balance of both formal education and experience supported with professional certifications and training
to provide quality within the internal audit community. This section examines the internal information
technology auditors’ competencies in terms of: academic major, professional certificates, and area of
technical specialization. In addition we examine the skills that the Internal Department needs and explore
the sourcing alternatives.
Academic Major
Survey data showed that internal audit departments in the UAE are equipped with staff from a technical
background who specified computer science or information technology as their academic major.
Those made up 14% of respondents in the UAE and 13% globally. With the ever increasing reliance on
information technology and increased complexity of computer installations, internal audit departments
can no more rely on generalist auditors to provide assurance in the areas related to information
technology. A solid IT knowledge foundation (e.g. obtained from IT academic study or actual IT work
experience) seems to be necessary to meet the internal audit mandate. “When you hire IT auditors
you need people with core technology experience in addition to relevant certification in IT audit. A
CISA credential makes a regular auditor IT aware, but technical audits need core hands-on experience
in Information Technology and Information security areas” Susheel Raje, Head of Internal Audit at
Commercial Bank International.
“While recruiting IT auditors, hire for IT line experience and train
for IT audit experience”
Adil Buhariwalla, Managing Partner - MASC International and member of the Institute of Internal Auditors’
Committee of Research and Education Advisors
13
UAE Internal Auditors Association
Professional Certificates
When survey participants were asked to identify the professional certifications that they are holding
in areas other than internal auditing, 19% of the UAE participants indicated that they are holding
Information Systems Auditing Certifications (such as CISA, QiCA, CRISC), almost doubling the global
percentage of ten percent. Concerning information security six percent of the UAE participants hold
related professional certifications (such as CISM, CISSP, CSP, CDP, CISRCP) compared with only three
percent of the global participants. Exhibit 1.1 shows these results.
Exhibit 1.1 IT Related Professional Certifications
10%
Holders of information systems auditing
certifications (such as CISA, QiCA CRISC)
19%
3%
Holders of IT security certifications
(such as CISM, CISSP, CSP, CDP, CISRCP)
6%
0%
5%
10%
Global
15%
20%
UAE
The results reflect the UAE’s market demand for skilled individuals in the areas of information systems
auditing and security and the positioning of the UAE as an attractive market for top notch talent globally.
According to Susheel Raje “The UAE is a highly competitive market which has access to both global and
regional talent. I have not had any particular difficulty when we looked at employing qualified IT auditors
and the UAE market has ample supply”.
A further analysis of survey participants holding information system auditing certifications showed that
42% of those are in a senior manager position or above, much exceeding the similar global average
of 26%. This shows internal audit leadership attention to information technology in the UAE and is
potentially one of the reasons why the UAE performed better than the global average in most of the
areas analyzed in this report.
While the above results are promising compared to the global average, there is still a room for
improvement. The IPPF standards require all auditors to have sufficient knowledge of key information
technology risks and controls and available technology-based audit techniques to perform their assigned
work. In our opinion, obtaining CISA for all auditors including non IT specialized can help meet this
requirement. “I want as many of my generalized non-IT auditors to be CISA certified as possible, as they
all need to have IT awareness” says Susheel Raje.
IT Skills that the Internal Audit Departments are Recruiting
Despite the positive results in the UAE regarding IT education and certification, survey data showed that
internal audit departments are still recruiting or building IT audit skills in: IT in general (34%), data mining
and analytics (34%), and cybersecurity and privacy (15%). When compared to global averages the UAE
data was in line with the global results. Exhibit 1.2 compares the UAE to global results in the IT related
skill set sought after. However, it should be noted that IT related skill set was not among the top 5 skills
being recruited or built in the UAE.
14
How Technology is Shaping Internal Auditing
Exhibit 1.2 IT Skills Internal Audit Departments are Recruiting or Building
38%
Information technology (general)
34%
31%
Data mining and analytics
34%
14%
Cybersecurity and privacy
15%
0%
10%
20%
Global
30%
40%
UAE
“The risk of
cybersecurity is very
real and exists now!”
While 80% of UAE survey respondents indicated that they expect audit activity related to cybersecurity
will increase in the next 2-3 years, it was surprising to see that only 15% are building or hiring the
related skill set. One possible explanation is that internal audit departments in the UAE are outsourcing
this highly specialized technical area. “Cyber security is a very specialized technical area, getting
external help in this area is highly effective. Reliance may also be placed on the 2nd line of defense but
internal audit should verify that it is solid enough” says Torben Hilbertz, VP Internal Audit at Abu Dhabi
Airports.
Adil Buhariwalla,
Managing Partner –MASC
International and member
of the Institute of Internal
Auditors’ Committee of
Research and Education
Advisors
According to Aldrin Sequeira, Chief Internal Audit Officer at Jumeirah Group: “I would like to think
that the lower percentage recruiting for cybersecurity and privacy skill sets is owing to this work
being outsourced so that the Board can be comfortable as it is specialized and requires continuous
monitoring. Alternately, this area can be managed internally by increasing skill sets of Information
Security and Internal Audit functions. Either way, it requires a significant investment in technology and
resources”.
On the other hand the lack of recruiting cybersecurity skill-set may potentially signal lack of
recognition of the urgency of the issue. “People are not recruiting because some people think that
cybersecurity is not a significant enough current risk to their business or they think a cybersecurity
breach may happen elsewhere but not to their business. However, cybersecurity threat is already on
the rise. Companies records are hacked, credit card details and other sensitive information is stolen and
leaked. We even hear of social media accounts being hacked. The risk is very much real; thinking that a
serious threat is 2 to 3 years away, gives a false sense of security” says Adil Buhariwalla.
We further explored the skill set being sought after when hiring IT audit resources with the IT audit
practitioners in the UAE. The primary focus seems to be on technical skills when hiring IT auditors as
opposed to general internal audit skills. UAE CAE’s prefer to hire IT auditors with focused technical
knowledge in the technologies relied on by their organizations. “When you recruit, look for multiskilled internal auditors who have good IT as well as business skills. You don’t necessarily need to look
for candidates who have IT audit experience but look for people who have IT line function experience
and who have the potential to think like an IT auditor. Also, before you look outside the company, look
for experienced persons within your own IT department. You can always train them, and this keeps
employees motivated” says Adil Buhariwalla.
15
UAE Internal Auditors Association
IT Audit Specialization and Sourcing
When the UAE participants were asked about their area of technical specialization, ten percent indicated
that they are specialists in Information Technology, which is the same percentage we received from the
global participants.
We further explored the sourcing arrangements of IT audit with the practitioners we interviewed as part
of developing this report. IT audit seems to be one of the ideal candidates for outsourcing for companies
not willing to build their own team given their organization level of dependence on IT and the nature
of the organization’s IT risk exposure. According to Torben Hilbertz “The need for having specialist IT
resources in-house within audit departments depends on the nature of the industry and the levels of
risks associated with information technology. If IT represents a smaller percentage of the audit plan,
outsourcing is a cost effective approach to cover it”.
Furthermore, even organizations having their own in-house teams, may still rely on outsourcing providers
for IT areas of high technical specialization as it is not cost effective to build IT audit teams capable
of covering all specialized IT areas. Companies facing such situation follow a hybrid model where they
hire generalist IT auditors and rely on external providers for high risk technical areas. Aldrin Sequeira
commented “Recruiting an IT auditor will not address all IT issues or challenges faced by an organization
since each area within the IT remit is highly technical and specialized. Organizations cannot afford to
have specialized skill sets for each area and therefore generally recruit a limited number of IT auditors
(who generally provide assurance on IT Governance, general IT applications and processes) and rely third
party assurance on specialized areas”.
16
Section 2
Understanding & Responding
to Technology Risks
17
17
UAE Internal Auditors Association
Technology risks are becoming exceedingly difficult to address. The very fast pace of technology
disruption means that technology risks are constantly changing. Internal auditors need to be up-to-date
and advise management and the audit committee on the best way to address current and emerging IT
risks. “You need to be relevant to the business. You need to audit risks that matter and look at business
initiatives and ongoing projects. For instance, IT projects gone wrong can put you back in terms of time,
effort and resources. Also, focusing on topical issues such as cybersecurity is important. Internal audit
should not restrict itself to relatively less complex areas but should provide assurance around risks that
matter,” says Susheel Raje.
“Focus on IT emerging
risks is increasing as it
is not what you know,
but what you don’t
know that can pose
the biggest risk to the
organization.”
Aldrin Sequeira, Chief
Internal Audit Officer at
Jumeirah Group
This Section tries to understand the extent of internal audit effort being placed on technology risks and
how internal auditors are responding to these risks by looking at four different aspects: IT Risk as a Top
Five Organizational Risk, IT Risk as Part of Internal Audit Plans, IT Governance Activity, Audit Activities
Relating to IT Security, Audit Activities Relating to Emerging IT Areas, and IT Audit Trends. Where
applicable, the relative importance of IT risk is explored based on the IT related responses in the Survey’s
results.
IT Risk as a Top Five Organizational Risk
Survey respondents were asked to rank the top five risks that executive management and internal audit
are focusing on. The UAE results showed that only 34% believed executive management focused on IT as
a top five risk while 59% responded that internal audit focused on IT as a top five risk (exhibit 2.1).
Exhibit 2.1 IT Risk Ranked Among Top Five Risks
Ranked by:
UAE
Global Average
Executive management
34%
42%
Internal audit
59%
54%
Expectation difference
-25%
-12%
These results show that, both globally and in the UAE, there is more focus placed on IT risk by the internal
audit department than executive management, which may indicate that internal auditors are not aligned
to executive management expectations. Similarly, compared to the Global Average, the UAE has double
the expectation gap. On the other hand in the UAE financial sector, 60% of CAEs believed that IT was a
top five risk that executive management was focusing on. On these results, Torben Hilbertz commented
“The mismatch about the perception of top risks between management and internal audit should not
exist. Internal audit has a mandate to raise management awareness about the emerging technology risks
if not already known by top management.”
In addition, when internal auditors were asked to identify the top five risks that their internal audit
department is focusing the greatest level of attention in 2015, operational risk is identified as the number
one concern by UAE internal auditors and globally, followed by strategic business risk. Further, IT risk
is among the top five risks on which internal auditors (both globally and in the UAE) are focusing the
greatest level of attention in 2015, according to survey respondents (exhibit 2.2). However this is not the
case for executive management which ranked IT risk in seventh place.
18
How Technology is Shaping Internal Auditing
Exhibit 2.2 Ranking of Risk in the UAE
Ranking
by IA
Ranking by
Executive Management
Operational
1st
1st
Strategic business
2nd
2nd
Information Technology (IT)
3rd
7th
Risk
To some internal audit leaders these results are not unexpected. “For internal auditors, providing risk
assurance is their bread and butter. They keep themselves abreast of the latest risk. They may not be able
to convince top management about the vulnerability of certain specific IT risks as management may
believe these to be managed effectively, or management may believe that their business is not vulnerable
to these risks. Sometimes demonstrating a particular vulnerability by conducting an audit may be the
best way to convince management. If you talk generic IT risks, you may not get the required traction.”
says Adil Buhariwalla.
IT Risk as Part of Internal Audit Plans
When we look at internal audit plans, IT risk makes up only 9% of internal audit plans in the UAE and
8% of plans globally (exhibit 2.3). Internal auditors, both in the UAE and globally, allocate the largest
percentage of their internal audit plans to ooperational risk which comprised 26% of internal audit plans
in the UAE (25% globally).
Exhibit 2.3 IT Risk as a % of Internal Audit Plans
Risk
UAE
Global average
Information Technology (IT)
9%
8%
Interestingly, when we look at the UAE data from the Organization type point of view, we notice that the
percentage of internal audit plans dedicated to IT risk increases to 13% in the financial sector (exhibit
2.4). This is not unexpected given that the level of business automation in the financial sector is usually
higher than other industries.
Exhibit 2.4 IT Risk as a % of Internal Audit Plans in the UAE (by Organization Type)
Organization Type
% of IA Plan
Financial sector (privately held and publicaly traded)
13%
Public sector (including government-owned operations)
9%
Privately held (excluding financial sector)
8%
Publicly traded (excluding financial sector)
8%
UAE average
9%
19
UAE Internal Auditors Association
Also, 42% of CAEs believe that focus on IT risk will increase in 2015 as compared to 2014 (exhibit 2.5).
This is in line with expectations globally, however in the UAE 67% of companies in the financial sector
believe that the focus on IT risk in internal audit plans will remain unchanged.
Exhibit 2.5 Expected Change in Internal Audit Focus on IT Risk in the UAE
Information Technology (IT)
Increase
No change
Decrease
UAE
42%
49%
9%
Global
42%
53%
5%
On a different note and based on anonymous feedback received from interviews, it was noted that there
are some internal audit departments in the UAE that do not conduct audits of IT or related areas! The
reason cited was not the lack of technology risks or processes but instead the mandate of the internal
audit function did not extend to the internal audit department. In some cases, reliance was placed on
the second line of defense (risk management, compliance, etc) and management reviews to provide
assurance that IT risks were being adequately managed.
IT Governance Activity
As mentioned in the Introduction, the internal audit activity must assess whether the IT governance
of the organization supports the organization’s strategies and objectives (Institute of Internal Auditors
Standard 2110.A2). This means that CAEs need to be prepared to evaluate this key aspect of the overall
IT landscape to determine whether there is overall IT alignment to the business, cost vs. benefit and
adequate measurement of the IT function’s performance among other things.
However when CAEs were asked about whether they carry out reviews of governance policies and
procedures related to the organization’s use of information technology (IT), a surprising 30% in the UAE
stated that they carry out minimal or no reviews of IT Governance (exhibit 2.6).
Exhibit 2.6 Extent of IT Governance Activity
None
Minimal
Moderate
Extensive
UAE
13%
17%
48%
22%
Global
9%
22%
45%
23%
The UAE results are very similar to those globally as most internal audit departments carry out moderate
to extensive reviews of IT Governance. Also similar to global results, small internal audit departments
appear to have difficulty allocating time to review IT governance. Both globally and in the UAE, around
a fourth of internal audit departments with less than 4 auditors stated they minimally or do not conduct
reviews of IT governance.
20
How Technology is Shaping Internal Auditing
So why are around 1/3 of internal auditors in the UAE not placing adequate focus on IT governance?
Adil Buhariwalla explains, “It’s not IT governance that is the issue, the issue is whether auditors know
enough about auditing corporate governance in general. Many auditors have the theoretical knowledge
of corporate governance, but don’t know how to go about auditing it.” However, there is a difference as
it relates to the financial sector in the UAE according to Susheel Raje who commented, “In my opinion, IT
governance is an area extensively covered by IT auditors in the banking sector.”
Audit Activities Relating to IT Security
When internal auditors in the UAE were asked about the extent of the internal audit activity that is
directed toward IT security, the responses showed that the most extensive internal audit activity is
directed towards the general IT risks (exhibit 2.7), followed by physical security and cybersecurity.
Exhibit 2.7 Extent of IT Security Activity in the UAE
Moderate
None to
to Extensive
NET
Minimal
General information
technology (IT) risks
16%
84%
100%
The physical security of your
organization’s major data centers
21%
79%
100%
The cybersecurity of your
organization’s electronically
held information
30%
70%
100%
The security of your
organization’s internal intranet
31%
69%
100%
The management, use, and access
of mobile devices owned by
individuals of your organization
41%
59%
100%
The security of your
organization’s external websites
34%
66%
100%
The organization’s procedures for
how employees use social media
49%
51%
100%
The area least focused on by internal audit from the IT security perspective is the organization’s
procedures for how employees use social media (49% minimally or don’t put any effort).
There are a number of types of IT technology topics that are taking the spotlight nowadays in many
organizations. Such topics include, but not limited to cybersecurity, intranet, mobile devices and
social media. When we look at the UAE results compared to Global results, we see that UAE audit
departments focus on information security areas exceed the global average in all domains. Of
particular note are the following:
21
UAE Internal Auditors Association
Cybersecurity
Accounts from the media show that all organizations, small or large, governmental or private, and profit
or nonprofit are under threat and often attacks by intruders who intend harm to these organizations.
“There are many predators (professionals or independents) that thrive on hacking or penetrating sensitive
organization data. If successful, this can cause a further raft of issues including, reputation damage,
business disruption and even possible litigation. Hence the cyber security risk needs to be carefully
managed,” says Aldrin Sequeira.
Internal auditors in all corners of the globe are concerned about cybersecurity attacks. Internal auditors
in the UAE are even more concerned about such threats. For instance, 29% of UAE internal auditors
indicated that they exert intensive level of their internal audit activities in mitigating the risk of
cybersecurity compared with only 20% globally. On the other side of the scale, only 9% of UAE-IA stated
that they do nothing about these risks compared to 17% globally (exhibit 2.8).
Exhibit 2.8 The Extent Of “The Cybersecurity Of The Organization’s Electronically Held
Information” For Internal Audit
UAE
9%
Global
62%
17%
0%
29%
62%
20%
1-None
40%
20%
60%
3-Moderate + 2-Minimal
80%
100%
4-Extensive
Susheel Raje, emphasized the importance of good cybersecurity in the financial sector “In the banking
sector, one cannot take chances ... otherwise customers will lose faith in the institution. The security
around online and mobile banking has to be robust. Cybersecurity breaches can cause major reputation
damage, negatively impact business operations and result in loss of customers.”
Mobile Computing
Handheld devices are extremely popularized for the last ten years. More and more organizations are
using such devices in conducting their business away from stationary devices. Mobile devices bring
many benefits to organizations including higher profitability and improve access to information from
any location. However, there is a heightened inherent IT and physical risks associated with these
devices including loss or theft of sensitive information, unauthorized access to sensitive information or
applications and loss of governance over data, applications, risks and audits (ITPC, Managing the Benefits
and Risks of Mobile Computing, 2011). The UAE internal auditors have expressed concerns with the
potential risks attached to mobile computing at par with the global internal auditors (exhibit 2.9).
22
How Technology is Shaping Internal Auditing
Exhibit 2.9 the management, use, and access of mobile devices owned by individuals or your
organization
16%
UAE
62%
20%
Global
0%
22%
63%
20%
1-None
17%
60%
40%
80%
3-Moderate + 2-Minimal
100%
4-Extensive
Social Media
“If your company is
using social media,
then your internal
auditors should be
auditing it.”
Susheel Raje, Head
of Internal Audit at
Commercial Bank
International
The use of social media by employees during and after business hours can strengthen relationships
with customers, enhance brand awareness, and increase revenues. But these benefits come with risks,
including brand and reputational damage, regulatory and compliance violations, data leakage, viruses
and malware, and loss of employee productivity (Institute of Internal Auditors, Tone at the Top, October
2013). “Social media is certainly one of the emerging risks that require IA attention; however, it is not
merely an IT issue. Increased awareness on social media etiquette by having a proper social media policy
and adherence to such a policy by monitoring social media traffic will help in addressing the related risks,”
says Aldrin Sequeira.
Organizations need to establish policies related to the use and content of social media during or after
business hours. Doing nothing is not an option. Such policies may include identifying which employees
are using social media, train employees and executives, determine who will and won’t speak for the
company and monitor online chatter (ibid). Internal auditors have a critical role to play in monitoring
such policies and it should be included in the audit plans. Most UAE internal auditors are aware of the
risk and benefits of using social media but more effort is still needed. Of the 360 UAE internal auditors,
57% are spending moderate efforts in formulating and enforcing policies related to social media, 21% are
spending extensive efforts while 21% are doing nothing (exhibit 2.10).
Exhibit 2.10 the organization’s procedures for how employees use social media
21%
UAE
Global
57%
27%
0%
21%
61%
20%
1-None
40%
60%
3-Moderate + 2-Minimal
12%
80%
100%
4-Extensive
23
UAE Internal Auditors Association
To help explain the results, Adil Buhariwalla commented “Many internal auditors don’t know about the
specific risks of social media. They know the link that social media can have to the company’s reputation
risk, but not know enough about specific risks associated with specific types of social media.”
External Websites
25% of the internal auditors in the UAE have expressed concerns with the potential risks associated with
the security of the external websites compared to 17% globally (exhibit 2.11).
Exhibit 2.11 The Extent Of “The Security of Organization’s External Websites” For the Internal Audit
13%
UAE
62%
24%
Global
0%
25%
59%
20%
1-None
40%
17%
60%
80%
3-Moderate + 2-Minimal
100%
4-Extensive
Audit Activities Relating to Emerging IT Areas
Internal auditors were asked to provide their opinions on the level of inherent risk relating to certain
technology areas in their company, including certain emerging IT areas such as virtual servers and big
data. The top 3 areas of inherent risk (based on a response of Moderate to Extensive) were Data breaches
that can damage organization’s brand, Firewall reliability, and Use of secure coding (exhibit 2.12).
Exhibit 2.12 Perceived Level of Inherent Risk for IT Areas in the UAE
Moderate
None to
to Extensive
Minimal
NET
24
Data breaches that can
damage organization’s brand
19%
81%
100%
Firewall reliability
21%
79%
100%
Use of secure coding
22%
78%
100%
Service-oriented
architecture reliability
22%
78%
100%
Detection if imbedded
malware in hardware
22%
78%
100%
Virtual server reliability
22%
78%
100%
Online disruptions
that can damage the
organization’s brand
23%
77%
100%
Big data reliability
24%
76%
100%
How Technology is Shaping Internal Auditing
If we look at the data from a different angle, the top three areas of “Extensive” inherent risk in the UAE are
1) Firewall reliability, 2) data breaches or 3) online disruption that can damage organization’s brand.
Given the importance of Emerging technologies, we will take an in-depth look at the UAE results
compared to those globally:
Virtual server reliability
From the graph below (exhibit 2.13), we can see that that internal auditors in the UAE felt that the level of
inherent risk is more extensive than that globally (33% extensive risk in UAE compared to 24% globally).
Exhibit 2.13 The Level of Inherent Risk for Virtual Server Reliability
UAE 3%
Global
19%
22%
8%
0%
33%
50%
20%
1-None
46%
24%
60%
40%
2-Minimal
80%
100%
4-Extensive
3-Moderate
Big data reliability
Similar to the above, internal auditors in the UAE also felt that the level of inherent risk for big data is
more extensive than that globally (35% extensive risk in UAE compared to 27% globally).
Exhibit 2.14 The level of inherent risk for Big Data Reliability
UAE 2%
Global
7%
0%
22%
41%
44%
22%
20%
1-None
35%
40%
2-Minimal
27%
60%
3-Moderate
80%
100%
4-Extensive
IT Audit Trends Over the Next 2 – 3 Years
Part of the Survey’s approach was to look ahead and use the insights of internal audit practitioners to
identify trends in IT audit activities relating to certain technology areas over the next two to three years.
Not surprisingly, both in the UAE and Globally, cybersecurity was selected by a vast majority of internal
auditors as the top area which is expected to have an increase (exhibit 2.15).
25
UAE Internal Auditors Association
Exhibit 2.15 Level of Inheret Risk Of “The Cybersecurity Of Organization’s Electronically Held
Information”
80%
UAE
Global
2%
3%
75%
0%
20%
60%
40%
Increase
Decrease
18%
22%
80%
100%
Stay the same
This was followed in the UAE by disaster recovery/crisis management and control over data quality.
None of the areas surveyed were expected to show a decrease in activity (exhibit 2.16).
Exhibit 2.16 UAE IT Audit Trends
Increase
26
Decrease Stay the Same
NET
Of the cybersecurity of your
organization’s electronically
held information
80%
2%
18%
100%
Of disaster recovery,
contingency planning,
or crisis management
73%
3%
24%
100%
Of the control over the
quality of the organization’s
data
72%
4%
24%
100%
Project management
assurance of major projects
71%
3%
26%
100%
of IT procurement,
includingthird parties or
outsourced services
67%
6%
28%
100%
of the security of your
organization’s external
websites
66%
4%
30%
100%
of the organization’s
procedures for how
employees use social media
related to the organization
64%
5%
30%
100%
of the physical security of
your organization’s major
data centers
62%
9%
29%
100%
Section 3
Using Technology to Enhance
Internal Audit Processes
27
UAE Internal Auditors Association
The Institute of Internal Auditors encourages its members to utilize technology in the performance of the
internal audit activities. The IIA’s IPPF states that “in exercising due professional care internal auditors
must consider the use of technology-based audit and other data analysis techniques” (1220.A2). Thus,
it is the expectation that modern internal auditors are to use as much technology as feasibly possible in
order to increase the efficiency and effectiveness of the internal audit processes.
Level of Reliance on Technology to Support Internal Audit Processes
Survey results showed that UAE internal auditors have used technology across the entire audit process
much more extensively than their counterparts globally. For instance, as shown in Exhibit 3.1, 52%
of the UAE respondents stated that they use technology extensively across the internal audit process
including data mining and data analysis compared to only 39% globally. Also, only 13% of UAE auditors
who responded to the survey indicated that they rely primarily on manual internal audit processes while
globally the percentage is 23%. One can conclude that UAE auditors are more attune to adopting and
using technology than their counterparts globally.
Exhibit 3.1 Level of Reliance on Technology to Support Internal Audit
Primary reliance on manual systems and processes
23%
13%
Audit methodology supported by appropriate technology + Extensive use of
technology across the entire audit process, including data mining and analysis
39%
Some use of electronic workpapers or other
office information technology tools
39%
Global
35%
52%
UAE
According to Michael Gowell, General Manager and Senior Vice President at TeamMate, Wolters Kluwer
This higher than average percentage can be attributed to the following factors:
1. The strong technology infrastructure that exists in the region.
2. In countries such as the UAE, with higher employee costs the effective use of audit technology can be a powerful capacity multiplier – which enables audit departments to leverage their audit department resources.
3. The strong and active Institute of Internal Auditors presence in the UAE has a robust correlation with
audit technology usage. One of the factors influencing this correlation is the fact that the effective use
of audit technology can facilitate compliance with the IPPF Standards.
“While audit tool usage is high in the UAE, there is still plenty of headway for
improvement. The UAE audit community has the infrastructure, capability and
expertise at all levels to be a global leader in audit technology tool usage.”
Michael Gowell General Manager and Senior Vice President TeamMate, Wolters Kluwer
28
How Technology is Shaping Internal Auditing
We further analyzed the results to explore whether there are differences in the reliance on technology
depending on the organization type. Financial sector and public sector standout in the UAE when it
comes to extensive use of technology across the entire audit process where the percentages are 67%
and 55% as depicted in Exhibit 3.2 below:
Exhibit 3.2 Extensive Use of Technology Across the Entire Audit Process Based on Organization Type
Financial sector (privately held and publicly traded)
45%
Public sector (including government agencies
and government-owned operations)]
67%
37%
Publicly traded (excluding financial sector)
55%
35%
Privately held (excluding financial sector)
43%
36%
39%
Global
UAE
When we analyzed the results taking into consideration the internal audit department size, the data show
that the larger the number of full time staff in the department the more likely it is that they heavily rely
on information technology across the entire audit process. The ratio reaches 100% in UAE and 67%
globally for internal audit departments with 25 or more full time staff as depicted in Exhibit 3.3 below. As
the internal audit departments grow in size it becomes imperative to rely on technology to manage the
size of the information which needs to be handled:
1 to 3
25%
22%
Exhibit 3.3 Extensive Use of Technology Across the Entire Audit Process Based on Audit Department Number
of Fulltime Staff
4 to 9
38%
58%
10 to 24
1 to 3
4 to 9
10 to 24
25 to 49
25%
22%
38%
25 to 49
53%
57%
67%
100%
58%
53%
Global
UAE
57%
67%
100%
Global
Technologies used by Internal Audit Processes
UAE
When the UAE internal auditors were asked about a list of certain technologies, electronic workpapers
emerged as the most widely used technology by UAE auditors, followed by data analytics, internal audit
risk assessment, and data mining. When comparing the results from the UAE to global, the data showed
that the UAE usage is higher than the global average for all internal audit technologies assessed. Exhibit
3.4 presents the full results in UAE as compared to global.
29
UAE Internal Auditors Association
Internal quality assessments using an automated tool
Internal quality assessments using an automated tool Continous/real-time
47% auditing
47%
37%
Continous/real-time auditing
52%
Flowchart or process mapping software
37%
52%
44%
44%
57%
Flowchart or process mapping
softwaretool to manage the information
57%
An automated
collected by internal audit
An automated tool to manage the information
59%
collected by internal
audit
Computer-assisted
audit technique (CAAT)
52%
59%
Computer-assisted audit technique
60%and track
An(CAAT)
automated tool to monitor
audit remediation and follow up
An automated tool to monitor and track
61%
audit
remediation
and
up audit planning and scheduling
An automated
tool
forfollow
internal
48%
61%
48%
60%
52%
62%
62%
An automated tool for internal audit planning and scheduling
A software or tool for data mining
46%
63%
A software or tool for data mining
63%
A software or a tool for internal audit risk assessment
64%
64%
A software or a tool for internal audit risk assessment
An automated tool for data analytics
65%
An automated tool for data analytics
Exhibit 3.4 Technologies Used Extensively or Moderately
by Internal Auditors
65%
Electronic workpapers
47%
Continous/real-time auditing
72%
37%
52%
Flowchart or process mapping software
UAE
UAE
44%
57%
59%
48%
Computer-assisted audit technique (CAAT)
60%
48%
An automated tool to monitor and track
audit remediation and follow up
61%
An automated tool for internal audit planning and scheduling
62%
A software or tool for data mining
52%
46%
63%
A software or a tool for internal audit risk assessment
64%
An automated tool for data analytics
65%
53%
50%
52%
77%
Electronic workpapers
Global
52%
An automated tool to manage the information
collected by internal audit
72%
Global
The fact that electronic working papers systemsUAEtop the list of technologies
extensively used in the
UAE and Global is not unusual. All other technologies analyzed are typically used discretely when and
as needed whereas the electronic working papers systems are the tool continuously used during the
execution of any audit assignment.
Michael Gowell commented “the value proposition for electronic working paper tools is first and foremost
to drive efficiency into the overall audit process. Using a purpose-built electronic working paper solution
can substantially reduce the documentation time and allow auditors to spend more time on the value
added audit work. Additional benefits of work paper automation include: easier searching across audits,
remote review, increased security, enhanced transparency, audit file consistency, enhanced reporting,
effective knowledge management – just to name a few”.
It is worth noting that electronic workpapers are usually a module within integrated audit management
systems which provides many other addition features such as: planning and scheduling, risk assessment,
action plans tracking and follow-up, documentation filing, etc… According to Susheel Raje “For
organisations with local operations, you can run an audit department without an Audit Management
System; however, it is pretty much an expectation to have an Audit Management System these days.
In particular, such a system helps improve the efficiency of the audit process, especially the ease of
documentation and the follow-up of audit observations”
Internal Audit Usage of Data Mining or Data Analytics
Data mining and analytics are essential activities which should be used by internal auditors. The purpose
of data mining and data analytics is to search for patterns, plausible interrelationships and anomalies,
which will help in improving operational efficiency and effectiveness, detection and prevention of fraud,
reliable financial reporting and adequate compliance with laws and regulations.
Survey data showed that more than 65% of UAE survey responders use data analytics tools extensively or
moderately compared to 52% globally as showed in Exhibit 3.5.
Exhibit 3.5 Usage of Data Analytics in Internal Audit
Extensive
Extensive
19%
Moderate
30
19%
27% Moderate
33%
Minimal
23%
18%
None
24%
17%
Global
27%
33%
38%
Minimal
38% 23%
18%
None
24%
17%
Global
UAE
50%
52%
77%
77%
Electronic workpapers
Internal quality assessments using an automated tool
53%
UAE
Glob
How Technology is Shaping Internal Auditing
When conducting the survey, responders were asked about the level of utilization of data mining tools and
data analytics tools in two separate questions. However, when analyzing the results we noted that the
utilization levels are identical both in the UAE and globally. In data science there is a difference between
data analytics and data mining, which in our opinion, survey respondents may not have been aware
of. The primary difference is scope, purpose, and focus. Data analytics deals with applying algorithms
to derive insights from various data sets by looking for meaningful correlations with the purpose of
drawing conclusion about the information. On the other hand, data mining involves analyzing vast data
sets typically stored in data warehouses, using sophisticated software tools with the aim to identify
undiscovered patterns and establish hidden relationships (reference http://searchdatamanagement.
techtarget.com/definition/data-analytics).
When UAE auditors were asked about the nature of the activities that they use data mining and data
analytics for, they identified several activities including identification of fraud, monitoring various
controls, testing of the whole population and testing for compliance with laws and regulations. Exhibit 3.6
presents the results. However, mining and analyzing data for management was not selected by neither
UAE nor auditors globally as one of the top five internal audit activities that bring the most value to
organizations.
Exhibit 3.6 – Usage of Data Analytics and Data Mining
Identification of possible frauds
54%
49%
Potential issues discovered through risk or
control monitoring
55%
47%
Tests of entire populations rather than sampling
52%
Tests for regulatory compliance
38%
Business improvement opportunities
40%
Other
20%
47%
38%
32%
16%
UAE
Global
Survey data also showed that not all data mining and data analytics assignments are performed by internal
audit staff. On average, about 25% of data analysis is performed outside of the internal audit department
in the UAE where as the global average is 28%.
While UAE data compared to global average with regarding the use of data analytics is encouraging, there
is still room for improvement. The survey results show that 18% use data analytics minimally and 17% do
not use any such techniques or tools.
“You should understand the data before starting the audit work. Data analytics
is a key enabler for auditors to learn about the area being reviewed and it is often
interesting for management when they see the outcome of the analytics done by the
audit team”
Torben Hilbertz, Vice President Internal Audit, Abu Dhabi Airports
31
UAE Internal Auditors Association
All UAE practitioners interviewed to comment on the results of the survey had strong opinions supporting
the use of data analytics and there was a consensus that this utilization is expected to continue to grow in
the future given the growth in the data being generated. “Any internal audit department which does not
equip itself with data analytics capabilities, will not be an effective department for long, and will not be
able to deliver value. In today’s world, to provide assurance without data analytics means that you will
have to either audit less areas, or you will need to recruit more - both of which are not effective” says
Adil Buhariwalla. “Expectations are getting higher in terms of use of data analytics; you need an IT auditor
who can speak the same language as the IT department, be able to understand the technology nuances
such as database structures and help extract the right data. Only this would help CAEs provide effective
assurance” commented Susheel Raje.
Michael Gowell stresses the importance of obtaining management buy-in for implementing data analytics
technologies in internal audit “The data analytics survey results for UAE compared to the global results
are encouraging, however the internal audit profession as a whole could benefit by stepping up its use
of data analytics. Based on our work with over 2,500 internal audit departments we have found that
virtually all world class audit departments leverage data analytics as a core strategic initiative. One
of the keys to successfully integrating data analytics as a core component of the audit program is
“management buy-in.” Internal audit departments that can successfully demonstrate to executive
management the value added benefits that data analytics provides are far more likely to obtain the
budget to invest in the tools and training necessary to instantiate data analytics into their department”.
Internal Audit Usage of Continuous Auditing
GTAG 3 defines continuous auditing as “the combination of technology-enabled ongoing risk and
control assessments. Continuous auditing is designed to enable the internal auditor to report on subject
matter within a much shorter timeframe than under the traditional retrospective approach”. Continuous
auditing is widely perceived in audit circles as a disruptive emerging technology which, if adopted,
will revolutionize internal auditing, but has this actually taken place? In 2010 CBOK survey, 52% of
respondents believed that the utilization of continuous auditing will increase over the coming five years.
When UAE survey responders were asked about the level of utilization of continuous auditing 20%
indicated that they use it extensively and 32% indicated that they use it moderately. Exhibit 3.7 shows
the utilization of continuous auditing within the UAE and globally:
Exhibit 3.7 Usage of Continuous Auditing by Internal Auditors
Extensive
Moderate
Minimal
None
14%
20%
30%
25%
32%
25%
31%
Global
23%
UAE
Within the UAE survey data showed that continuous auditing is among the least extensively utilized
internal audit technology, compared to all other internal audit technologies, and the global results show
even less extensive utilization of continuous auditing.
32
How Technology is Shaping Internal Auditing
“It is encouraging that continuous auditing is a hot topic in the internal audit
community, however, it is safe to say that the use continuous auditing has not
materialized as fast as the vision”
Michael Gowell General Manager and Senior Vice President TeamMate, Wolters Kluwer
Overall it seems there is an increase in the utilization of continuous auditing over time and this trend
seems to be continuing in the future but in a slower than anticipated rate. Some of the potential
challenges slowing the adoption of continuous auditing are:
1. Inadequate management of the relationship with the IT department who are the custodians of the data.
According to Michael Gowell “One of the critical success factors for accelerating continuous auditing
adoption trend is for internal audit to develop an enhanced partnership with the IT department. One
emerging best practice for establishing a solid relationship with IT is to hire an IT expert into the audit
department. This IT skilled auditor will have the tools to develop the deep level of partnership with IT
that is necessary to implement sustainable continuous auditing”.
2. Challenges in obtaining unrestricted access to data. Adil Buhariwalla commented “A very important
reason for the fact that continuous auditing is not as widespread as it should be, is that the internal
audit function may not have unrestricted access to all data across the organisation. Internal audit needs
unfettered access”.
3. Potential lack of the required data analytics skill set. Hiring generalist IT audit specialists may not
warrant availing the data scientist skill set needed to support an effective continuous auditing program.
Survey data show that UAE internal audit community is aware and actually working on overcoming
this challenge where 34% of respondents indicated that they are recruiting or building data mining
and analytics skill set. According to Aldrin Sequeira “Heads of Internal Audit departments often look
for several qualities when recruiting team members. One of more important criteria is professionally
certified individuals with the necessary industry or specialist experience and excellent interpersonal
skills. I personally believe that data mining and analytical skill sets are gaining more importance in
order to complement and enhance the quality of the financial and operational audits”.
“The best combination to make continuous auditing work is to have the right
tone at top to support internal audit access, as well as technical expertise for data
analytics and writing programming scripts”
Adil Buhariwalla, Managing Partner – MACS International and member of the Institute of Internal Auditors’
Committee of Research and Education Advisors
A good source of guidance for internal audit departments in implementing an effective continuous audit/
monitoring program is GTAG 3 titled “Continuous Auditing: Coordinating Continuous Auditing and
Monitoring to Provide Continuous Assurance”. The document was recently updated to include guidance
on implementing continuous auditing in a comprehensive organizational context that spans across the
three lines of defense.
33
Conclusion
34
How Technology is Shaping Internal Auditing
Considerations related to information technology are central to any organization’s effort to ensure
that issues are addressed quickly and thoroughly. The knowledge economy complicated by emerging
technologies, such as cloud computing, social media and mobile devices — can challenge the ability
of internal auditors to provide assurance to executives already overwhelmed with rapidly expanding
opportunities and pressures caused by shrinking margins.
“Monitor new technologies and stay informed about emerging risks and periodically
assess whether the resources and requirements are matching each other”
Torben Hilbertz, Vice President Internal Audit, Abu Dhabi Airports
Today, as technology becomes increasingly integrated in business processes, organizations can’t survive
without adopting the right Information Technology solutions. This means that technology topics make
up an ever-increasing percentage of the internal auditor’s professional knowledge and skills set. While
technology background is important in understanding new developments and directions, it is of little
use without continuous acquisition of new knowledge. Corporate auditors need to develop the essential
technical knowledge and skills to audit IT-based controls and processes (Curtis et al., 2009).
When it comes to the UAE, the Survey results show that internal auditors are better qualified, more risk
focused and use technology more than the global average. “Based on both the CBOK survey results and
our work with audit departments in the UAE, it is clear to see that the UAE is emerging as a leader in
the application of technology to support the audit process. We attribute this positive development to
the strong “Technology Tone at the Top” in the UAE. The CAE is best positioned to establish technology
as a key strategic imperative and articulate the benefits of technology to both internally and to the
key stakeholders – and CAEs in the UAE are clearly embracing technology as a strategic imperative,”
according to Michael Gowell.
In short, technology is shaping both what is audited and the way audits are being carried out. Internal
auditors must rise to meet the requirements of our changing world. “The expectations of internal audit
have changed considerably recently and will continue to evolve. Internal auditors are ‘asked to do
more with less’ and are now increasingly involved in areas such as risk management, fraud detection/
monitoring, saving costs and maximizing revenue, identifying opportunities for operational improvements
etc. Internal audit cannot successfully meet such demanding expectations and perform without
enhancing its own IT skill sets, embracing IA technology and using technology based applications to audit
smarter,” recommends Aldrin Sequeira.
The Way Forward
The messages from the Survey and this report need to result in tangible actions for CAEs and internal
audit departments. A recommended list of actions to aid internal auditors in their IT risk efforts, is as
follows:
1. Focus on Cybersecurity Risks – If we look at the survey results and recommendations of the experts, it
is clear that cybersecurity risk is the number one technology risk that organizations are facing. Internal
auditors need to be involved in assessing the organization’s controls and responses to cyber risks and
the potential for data breaches. CAEs must ensure that cybersecurity risk is properly covered in the
internal audit plan. “I advise the CAE’s to look at their audit plan and thoroughly assess the required IT
coverage; the specialized IT audit resources to be made available should match the required coverage in
the plan,” recommends Torben Hilbertz.
2. Use Data Analytics – If your internal audit department has not started using data analytics then you’ve
fallen behind. You also risk providing less effective assurance and risk becoming irrelevant in the future.
“Sample based testing does not give the same degree of assurance as testing of the entire population
would. Data analytics is preferred, as it gives much better audit coverage,” states Susheel Raje. In
addition, data analytics is the one of the main components in order to increase internal audit maturity
and use continuous auditing techniques. Adil Buhariwalla supports this view “The core requirement for
continuous auditing is data analytics. A very important reason for the fact that continuous auditing is
not as widespread as it should be, is that the internal audit function may not have unrestricted access
to all data across the organisation. Internal audit needs unfettered access. The best combination to
35
UAE Internal Auditors Association
make continuous auditing work is to have the right tone at top to support internal audit access, as well
as technical expertise for data analytics and writing programming scripts”.
3. Hire Professionals with Technology Backgrounds – When you have a need to hire IT audit skills
(whether for in-house purpose or when you are outsourcing), hire someone with a technology
background. The internal audit experts interview strongly recommend hiring IT auditors who have
worked in IT departments or who have a technology background given that they can speak the same
language of the business and don’t come from an accounting or core audit background. This gives them
the ability to understand and analyze technical details that core auditors (or core auditors who have
obtained IT certifications) cannot.
“CAEs should invest in training their internal auditors on current
and emerging IT risks”.
Adil Buhariwalla, Managing Partner – MACS International and member of the Institute of Internal Auditors’
Committee of Research and Education Advisors
4. Educate Management – The survey showed that internal auditors are placing much more focus on IT
risks that senior management. It is up to CAEs to educate management on current and emerging IT
risks and the activities that the internal audit department is carrying out in these areas. Further, CAEs
need to promote their IT audit capabilities. Whether it be core capabilities such as ITGC or Application
Audits, Access control audits, etc or more sophisticated capabilities such as Cybersecurity audits,
technology related compliance (ISO, PCI DSS, etc), IT project audits, etc., management should be
aware of what services the internal audit department can provide and what value they can derive from
these services.
5. Audit or Review IT Governance – This may be old news to most CAEs, however the survey results
who that a significant portion of internal auditors in the UAE are not covering IT governance. This is
not only important from a business perspective but is also a requirement of the Institute of Internal
Auditors’s Standards. If you’re not sure how to approach this area, there is plenty of guidance from
the Institute of Internal Auditors and ISACA on this. “It is always useful to refer to GTAGs, COBIT and
other relevant guidance from Institute of Internal Auditors and ISACA for IT audits. Also, ISO is a good
reference point for information security and business continuity audits,” says Susheel Raje.
36
How Technology is Shaping Internal Auditing
References
Curtis, M., Jenkins, J. G., Bedard, J., & Deis, D. (2009) Auditors’ Training and Proficiency in
Information Systems: A Research Synthesis. Journal of Information Systems, 23(1), 79-96.
http://dx.doi.org/10.2308/jis.2009.23.1.79
Hatherell, T. (2014). “Internal audit, Trends and challenges”, Deloitte Inside magazine issue 3,
February 2014, 52-55
Institute of Internal Auditors (2013), Tone at the Top Newsletter, October.
Institute of Internal Auditors (2012), Global Technology Audit Risk Guide (GTAG) 1,
Information Technology Risk and Controls.
Institute of Internal Auditors (2012), International Standards for Professional Practice of
Internal Auditing
37
Appendix 1
Survey Participants
Demographics
38
How Technology is Shaping Internal Auditing
The Global Internal Audit Common Body of Knowledge (CBOK) is the world’s largest ongoing study of the
internal audit profession, including studies of internal audit practitioners and their stakeholders. One of
the key components of CBOK 2015 is the global practitioner survey, which provides a comprehensive look
at the activities and characteristics of internal auditors worldwide. This research report was responded
to by 14,518 participants in 166 countries across the globe (Note: Response rates vary per question). For
the purpose of this study, 361 respondents participated in this study are from the UAE. The following
questions will shed light on the survey participants.
What is your position as an internal auditor in the organization?
41% of UAE based respondents were Senior Managers or above:
Level
%
Chief audit executive or equivalent
23%
Director or senior manager
18%
Manager
27%
Staff
32%
Total
100%
What is the type of organization for which you currently work?
Respondents came from a variety of organization types, although higher percentage of respondents
were from the public sector:
Level
%
Privately held (non-listed) organization
33%
Publicly traded (listed) organization
21%
Public sector
(including government owned organization)
42%
Other
4%
Total
100%
What was the approximate total revenue of your organization in U.S. dollars for the previous
fiscal year?
The vast majority of respondents came from companies with over USD 100 Million in revenues:
Revenues
%
$1 million or less
4%
More than $1 million up to $100 million
13%
More than $100 million up to $1 billion
44%
More than $1 billion up to $10 billion
25%
More than $10 billion
14%
Total
100%
39
UAE Internal Auditors Association
For the entire organization in which you work, what was the approximate total number of fulltime
equivalent employees as of the end of the last fiscal year?
The majority of respondents come from companies with above 1,500 employees:
Employees in Internal Audit
%
Less than 500
24%
500 to 1,500
20%
1,501 to 10,000
44%
Above 10,000
12%
Total
100%
Approximately how many years has the internal audit department been in place at your
organization?
The vast majority of respondents came from companies that have had internal audit departments
for over 5 years:
Years IA Has Been in Existence
%
Less than 5 years
20%
5 to 10 years
41%
11 to 15 years
16%
Above 15 Years
23%
Total
100%
Approximately how many full-time equivalent employees make up your internal audit
department?
The distribution of the number of employees in internal audit shows that the majority of
respondents come from companies with 4 – 24 internal auditors:
Employees in Internal Audit
1 to 3
15%
4 to 9
31%
10 to 24
30%
25 to 49
16%
50 or more
8%
Total
40
%
100%
About the authors
41
UAE Internal Auditors Association
Munir Majdalawieh
Munir Majdalawieh is an academic researcher and a practicing Enterprise Information Systems and
business development professional. He is Associate Professor at Zayed University. Prior to joining ZU in
2012, he worked for the American University of Sharjah (AUS) in UAE for six years and worked for Booz
Allen Hamilton, HP, Compaq, and DEC in the USA for more than 22 years. Dr. Majdalawieh has published
several peer-reviewed papers in international journals and conference proceedings. He is the co-author
of the “Characterestics of an Internal Audit Activity”, a component of the 2010 CBOK study, published by
The Institute of Internal Auditors Research Foundation ( IIARF). Dr. Majdalawieh obtained his Ph.D. in IT
and his EMBA from GMU in VA, USA and his M. Sc. in Computer Science from NU in MA, USA.
Yass Alkafaji
Yass A. Alkafaji, DBA, CPA, CFE is an academician and a practicing CPA for more than 25 years. He is
currently an Associate Professor of Accounting at the American University of Sharjah, UAE where he
teaches auditing and IFRS classes on the graduate and undergraduate levels. Dr. Alkafaji is the co-author
of Book I of the 2010 CBOK study. He received his Doctorate in Business Administration from Mississippi
State University and his MBA from The University of Texas at Austin.
42
TeamMate
TeamMate
Ecosystem for Assurance
®
®
®
Ecosystem for Assurance
Audit
Audit
Controls
Controls
Analytics
Analytics
To achieve new heights, finding the right balance of audit tools is essential. Only
TeamMate offers an integrated set of solutions that include the industry’s leading
To
achieve
new
finding
the right
of
tools
Only
To
achieve
new heights,
heights,
finding
right balance
balance
of audit
audit
tools is
is essential.
essential.
audit
management
system,
anthe
innovative
controls
management
systemOnly
and
TeamMate
offers
an
integrated
set
of
solutions
that
include
the
industry’s
leading
TeamMate
offers
an
integrated
set
of
solutions
that
include
the
industry’s
leading
powerful
data analytics.
audit
audit management
management system,
system, an
an innovative
innovative controls
controls management
management system
system and
and
powerful
data
analytics.
powerful data
TeamMate
AManalytics.TeamMate CM
TeamMate Analytics
TeamMate
TeamMate
TeamMate AM
AM
TeamMate CM
CM
Learn more at: TeamMateSolutions.com
TeamMate
TeamMate Analytics
Analytics
Learn
Learn more
more at:
at: TeamMateSolutions.com
TeamMateSolutions.com
Copyright © 2014 Wolters Kluwer Financial Services, Inc. All Rights Reserved. 3946
Copyright
Copyright ©
© 2014
2014 Wolters
Wolters Kluwer
Kluwer Financial
Financial Services,
Services, Inc.
Inc. All
All Rights
Rights Reserved.
Reserved. 3946
3946
Copyright © 2014 Wolters Kluwer Financial Services, Inc. All Rights Reserved. 3946